Journal of Information Security and Applications 51 (2020) 102455
Bayesian attack graphs for platform virtualized infrastructures in clouds

B. Asvija a,∗, R. Eswari b, M.B. Bijoy c

a Centre for Development of Advanced Computing (C-DAC), Bangalore, India
b Department of Computer Applications, National Institute of Technology, Tiruchirappalli, India
c Centre for Development of Advanced Computing (C-DAC), Bangalore, India
Article info

Keywords: Security; Virtualization; Bayesian attack graphs; Risk assessment; Cloud computing

Abstract

Virtualization security is an important aspect to be carefully addressed while provisioning cloud services. In this paper, we propose a novel model using Bayesian Attack Graphs (BAG) to perform security risk assessment for platform virtualized infrastructures that are used for building cloud services. BAGs are powerful mechanisms that can be used to model the uncertainties inherent in security attacks. We build upon the reference conditional probability tables for the BAG nodes using the reported attacks on virtualized systems from the Common Vulnerabilities and Exposures (CVE) database. We employ Bayesian probabilistic inference techniques on the model presented and showcase the results obtained that can be used by system architects for the risk assessment of such infrastructures. In addition to the probabilistic model, we also present a deterministic approach with security metrics for attack graphs and derive the values for the modeled BAG, which can be used for assessing and comparing with other architectures. The approach described here to draw inferences from the BAG can be employed by system architects to find explanations to critical queries in security design and also to carefully select the countermeasures to be installed. The model can also be used to learn from future a-posteriori evidence data from actual security breaches to provide an efficient risk assessment. © 2020 Elsevier Ltd. All rights reserved.
∗ Corresponding author: B. Asvija. https://doi.org/10.1016/j.jisa.2020.102455

1. Introduction

Virtualization technology has resulted in the realization of modern-day cloud computing infrastructures, with many businesses and users making an informed transition to harness the numerous advantages that the cloud paradigm can bring in, including ubiquitous access to the services [1]. Nevertheless, security remains a key concern for the users of the cloud platforms and services for their critical needs. It thus becomes imperative for cloud architects to give utmost importance to including security features in the design and also mechanisms to assure the end users about the integrity and security of their data on the cloud. Virtualization security is an important aspect of cloud security [2] that is often not given the importance it deserves, as opposed to the perimeter, network and host security mechanisms installed as part of the standard data center security measures. As platform virtualization forms the fundamental technology of cloud systems that enables
resource sharing among multiple tenants, addressing security at this layer becomes critical.

While a formal analysis of the security mechanisms in cyberinfrastructures such as cloud computing environments is vital, the decision makers have to deal with a high degree of uncertainty while modeling the security system. There is uncertainty about how the security subsystems interact with each other and influence the overall security of the infrastructure. There is also uncertainty in the accuracy of the information available during security analysis. The attacker behavior is inherently uncertain, regarding the vulnerabilities chosen for carrying out the attacks, the frequency with which the attacks are attempted and the actual components being targeted in the infrastructure. Hence, to carry out security and risk assessment of such environments, the use of a probabilistic framework that can model inherent uncertainties becomes imperative. However, active research has not been taken up to develop such a probabilistic model, specifically taking care of the security threats in the context of virtualized environments affecting cloud infrastructures.

Bayesian Attack Graphs are effective mechanisms to carry out cyber security risk assessment and analysis. Combining the concept of modeling attack graphs as Bayesian Networks, the BAGs can
provide means for probabilistic reasoning about security scenarios in infrastructures. In this paper, we propose a framework for modeling and analyzing platform virtualization security using Bayesian Attack Graphs (BAG). We present a system and a model to systematically analyze the risks associated with virtualized infrastructures and to evaluate the countermeasures to mitigate them. The inference outcomes from BAGs can be used for prioritizing the associated threats and thus prioritizing the countermeasures to be installed in the infrastructures. New evidence data can be fed back into the model to tune it further. Our discussion in this paper provides a model which can help in realizing these activities for virtualized infrastructures.

1.1. Scope of the paper

In this paper, we present a risk analysis inference model for virtualized environments based on the reported vulnerabilities in the stack. The term virtualization can also comprise container virtualization (such as Docker) and run-time virtualization technologies (Java VM and others). However, we restrict our discussion to analyzing security risks in hypervisor based, platform virtualized environments, as it is the most widely used technology to build and operate cloud data centers, including the ones offering public cloud services. Container security and runtime virtualization security are distinct technologies and thus need a separate assessment by themselves, which is out of scope of the current article.

1.2. Organization of the paper

The rest of the paper is organized as follows. Section 2 lists the related work in the field of attack graphs employed for cyber security analysis and also highlights our specific contribution through this article. We give a general introduction to platform virtualization technologies in Section 3, along with a discussion on the identified threats on these infrastructures. The threat model and the attack paths are also presented.
Section 4 introduces the concept of Bayesian Attack Graphs and explains the probabilistic model that can be used for drawing explanations and inferences for the security scenarios in infrastructures. In Section 5, we list and define the important security metrics for the BAGs. Section 6 presents the BAG for platform virtualized infrastructures along with the Conditional Probability Tables derived based on the identified threats. Section 7 details the results obtained from our inference experiments on the test bed using the presented BAG model.

2. Related work and our contribution

Attack Graphs have been used for carrying out cyber security analysis [3]. Liu and Man [4] and Xie et al. [5] have shown that the Bayesian network approach can be applied to the attack graphs to model security related uncertainty in networks. Xie et al. [5] have focused on presenting a model for real time security analysis with an example Bayesian Network (BN). Frigault et al. [6] have presented a theoretical model incorporating temporal factors to analyze dynamic BNs. However, these approaches do not present inference techniques to find explanations to queries by calculating the unconditional probabilities at the attack graph nodes. Muñoz-González et al. [7] have described employing exact inference techniques to analyze BAGs. They have also described using approximate inference techniques [8] to perform the inferences efficiently. Poolsappasit et al. [9] have presented new metrics for security control using the attack graphs. However, all of these approaches are generic, discussed with example networks, and do not take into account the specific threats to virtualized infrastructures.
Noel and Jajodia [10] have proposed a suite of metrics for analyzing network attack graphs. However, these metrics are well suited for carrying out a comparative analysis of different attack graphs. Idika and Bhargava [11] have extended the attack graph based security metrics and also present an algorithm for combining these metrics. We have employed these extended metrics to analyze the model that we present in the current article. The use of BAGs for modeling threats in virtualized systems has been presented by us in [12]. We build upon these principles to present a concrete model and employ multiple inference techniques to provide reasoning for various queries. We also present deterministic security metrics for our BAG that can be used for comparing with other architectures.

A separate area of research is to devise efficient ways to create BNs through automated learning. Neapolitan [13] has discussed learning BNs in detail. Several other works [14,15] have also focused on learning BNs. However, this approach is different from ours, as we present the BN with reference CPT values based on the identified threats in virtualized infrastructures. This approach also requires access to different security incident data and the causal relationships in those incidents in order to facilitate the BN learning.

2.1. Our contribution

We employ the concept of Bayesian Attack Graphs to derive a risk assessment model for platform virtualized infrastructures. The area of virtualization security has been researched with detailed surveys and classification of threats, while lacking a formal risk assessment model. The threats that we consider here are unique to virtualized infrastructures and thus need a careful analysis through a separate risk assessment model. Previous studies [14,15] have considered learning the BN from existing data.
However, this incident data and the causality information about security breaches in cloud data centers might not be available in the public domain in its entirety, to facilitate the learning of the structure of the BN itself. Hence we present the complete model here. The main contributions of this work are as follows:

(i) To the best of our knowledge, this work is the first to model uncertainties in virtualization security. This will give the system architects a model through which they can estimate the risk exposure of all the identified nodes in the system.
(ii) We have also carried out an extensive study of the reported threats in the field of virtualization security and have provided the values for CPT entries in the presented attack graph nodes. This can serve as a base reference model for security analysts to carry out the risk assessment of their own infrastructures with suitable modifications.
(iii) We have also carried out inferences using multiple algorithms on the BAG for virtualized infrastructures and the results have been presented. This can provide valuable insights to cloud architects and also help them to realize the kind of explanations and the analyses that can be sought out from the presented model.
(iv) In addition to the probabilistic inference model, we have also incorporated deterministic security metrics for the BAG which can be used by security analysts to compare and analyze multiple architectures. To the best of our knowledge, no prior works have presented this hybrid approach.

In the following sections, we present a brief description of the platform virtualization technologies and the associated threats before introducing the readers to the proposed hybrid security model for assessing virtualized environments.
3. Platform virtualized infrastructures

Platform virtualization refers to the set of technologies that enable the creation of multiple Virtual machines (VM) on top of the existing physical machine, by means of sharing the underlying hardware components such as the CPU, the main memory, storage disks and other I/O devices [16]. Fig. 1 shows the individual components in such an infrastructure. The VMs (also referred to as guests) thus created can be individually installed with their own operating systems, called the Guest OS. The guest OS can be completely different from the Host OS – the operating system that gets installed on the physical hardware. The guest OS can run multiple applications that are of interest to the end user. The hypervisor or the Virtual Machine Monitor / Manager (VMM) is the central piece of software that enables virtualization. The VMs are created and coordinated using the hypervisor.

In a typical cloud computing scenario, the end users are granted access only to the guest VMs that they subscribe to. However, VMs that run on the same host machine share the underlying physical hardware, namely the CPU and its caches, the main memory, I/O devices and others. Uninitiated guest users are usually unaware of the other guest VMs sharing the same hardware or the details of the physical hardware itself. The hypervisor is expected to guarantee this isolation among multiple tenants.

Hardware assisted virtualization is a special type of virtualization technology in which the underlying hardware provides support for enabling virtualization. This brings in efficiency to many aspects of virtualization. The Intel family of CPUs support VT extensions [17] for enabling hardware assisted virtualization. Intel's VT-x set of extensions help in efficiently virtualizing the CPU, while the Intel EPT simplifies the memory virtualization. Intel VT-d aids in I/O and device virtualization.
Owing to the efficiency it brings in, this form of virtualization is most widely used
for platform virtualization that forms the building block of cloud infrastructures.

Fig. 1. Components of a Platform Virtualized Infrastructure along with the different attack paths.

3.1. Security in platform virtualized infrastructures

While hardware assisted virtualization brings in the much sought efficiency in cloud computing infrastructures, it also brings in additional security threats that are unique to virtualized infrastructures. A detailed listing and review of the various threats associated with the individual components of the virtualization stack is presented in [12] and [18]. We present the threat model for virtualized infrastructures based on the various identified attacks reported at different layers of the technology stack. Fig. 1 depicts the various attack paths, the actors and the threat model for the platform virtualized infrastructures. The attack paths have been numbered from ρ1 to ρ9. The actors considered in the threat model for the infrastructure are grouped into three categories: a remote attacker to the infrastructure, a malicious guest user subscribing to the cloud services and a malicious administrator of the cloud datacenter.

A malicious administrator has direct access to the host machines, the hypervisor as well as the guest VMs executing in the infrastructure (paths ρ1, ρ2 and ρ7). A guest user, as a subscriber to the cloud services, can access his own VMs (path ρ3). A remote attacker can attack an existing VM that belongs to a benign subscriber of the cloud services (path ρ4). The attack can begin with virtualization detection [19,20] and can lead to exploiting hypervisor vulnerabilities and gaining access to the underlying hardware/network [21]. Path ρ5 represents the remote attacker gaining access to the infrastructure by exploiting the hypervisor/VMM vulnerabilities [22,23,24]. Path ρ6 represents the VM escape attacks, wherein the attack results in an escalated VMM level privilege from a normal restricted guest user account [25,26]. Malicious guest users can exploit vulnerabilities in the platform
firmware and obtain hardware access (path ρ7) [27,28]. A malicious user, pretending to be a genuine customer, can subscribe to the cloud services and request a VM. Co-location strategies have been discussed in detail in literature [29,30], which can help the malicious user to co-locate his VM with a victim VM of his interest. With this, the caches, memory and the I/O devices get shared between the attacker and the victim VMs. The attacker would now construct covert channels using these shared hardware devices for attacking the victim VM. Path ρ8 represents a large family of cross VM side channel attacks that can result in data thefts and denial of services [29,30]. Attack path ρ9 represents the case of firmware attacks and VM based rootkits that can leave the hypervisor in a compromised state [27].

It is evident from the above discussion that the virtualized infrastructures are indeed vulnerable to many attacks through multiple facets. Designing intrusion detection systems for cloud computing is also a challenge as detailed in [31] and [32]. Thus it becomes imperative to carry out security risk assessment for designing and deploying such architectures that can have multiple tenants intending to use the cloud for their critical business operations. We introduce Bayesian attack graphs for risk modeling based on these identified threats and vulnerabilities.

4. Bayesian attack graphs

A Bayesian network (also called a 'belief network' [33]) is a directed acyclic graph in which the individual nodes indicate random variables, while the edges between these nodes represent dependencies between the variables [5]. Formally, the Bayesian network can be expressed as a tuple, BN = < , θ >. Here represents the graph with nodes and edges. Further can be indicated as a pair (ν, ε), with the set of vertices ν and ε ⊆ ν × ν, indicating the directed, non-cyclic edges between the nodes of the graph. θ represents a set of quantifying parameters for the network.
Let X represent a finite set of random variables such that $X = \{X_1, X_2, \ldots, X_n\}$. Let $x_i$ denote an instance / value of the variable $X_i$. If $P_{X_i}$ denotes the set of parents of $X_i$ in , then θ comprises the component $\theta_{x_i \mid P_{x_i}} = p(x_i \mid P_{x_i})$, $\forall x_i \in X_i$ and $\forall P_{x_i} \in P_{X_i}$ [34].
Such a network encodes a joint probability distribution over the set of random variables, given by the product rule as follows:

$$p(X_1, X_2, \ldots, X_n) = \prod_{i=1}^{n} p(X_i \mid P_{X_i}) = \prod_{i=1}^{n} \theta_{X_i \mid P_{X_i}} \qquad (1)$$

Thus, the joint probability distribution in Bayesian networks can be factored by local conditional distributions for each variable $X_i$, given the condition of its parents, namely $P_{X_i}$. Due to these dependencies / conditions, far fewer probabilities ($p(X_i \mid P_{X_i})$) have to be specified for the joint probability distribution than with an exhaustive listing of $2^n$ probabilities [35]. From the joint distribution, one can infer the 'marginal' probability for any particular variable $X_i$. This can be done by summing out the other variables. If we choose i > 3, this can be written as:

$$p(X_i) = \sum_{X_1} \sum_{X_2} \sum_{X_3} \cdots \sum_{X_{i-1}} \sum_{X_{i+1}} \cdots \sum_{X_n} p(X_1, X_2, \ldots, X_n) \qquad (2)$$

4.1. Bayesian attack graphs

Bayesian attack graphs (BAG) are models that employ Bayesian networks to depict the security attack scenarios in an infrastructure or a system. Extending the notion of Bayesian networks, the nodes in a BAG can be used to represent system components that are vulnerable to attacks. The nodes can also be used to represent different states of the system / infrastructure that can result from various security violations. The edges in the BAG represent the exploitation of a vulnerability or a threat that results in a particular security state of the system or a compromised system component (indicated from the pointed nodes). Thus the BAG can be used to model and analyze all the possible attack paths in a system. The model can be used to infer results on possible security violations and correspondingly carry out the risk assessment for the entire infrastructure. The model can also help in identifying the different paths that the attacker can follow to reach a desired goal of break-in to the system. In the event of an attack, the BAG can also be used to dynamically model the possible paths taken by the attacker to ascertain his further course of action and the likelihood of the other nodes that can get targeted. Additional preventive measures to defend these identified nodes could be commissioned by the administrators to constrain the damage caused by the attacker.

Conditional Probabilities in BAG: Conditional probabilities shall be assigned at every node of the BAG, based on the information available a priori. This information can be based on the actual evidence from prior attacks on the targeted system or similar systems elsewhere. The prior probabilities can also be derived in consultation with system administrators having wide professional experience in dealing with such attack scenarios. Another popular approach to derive the conditional probabilities is based on the vulnerability metrics assigned for the identified threats in the global vulnerability databases [5]. When multiple edges (exploits) are involved, the conditional probabilities of the nodes in the BAG can be calculated using two different schemes, namely the OR and the AND decompositions [9]. The AND decomposition indicates that the chances of compromising a particular node depend on the success of all the exploits from its parent nodes, while the OR decomposition indicates that the target node can be compromised by exploiting any of the vulnerabilities / threats from its parent nodes.

If $p_{e_j}$ represents the probability of exploiting a vulnerability $e_j$, then the probabilities for these decompositions can be represented as follows [7]:

$$p_{OR}(X_i \mid P_{X_i}) = \begin{cases} 0, & \forall X_j \in P_{X_i} \mid X_j = F \\ 1 - \prod_{j: X_j = T} (1 - p_{e_j}), & \text{otherwise} \end{cases} \qquad (3)$$

$$p_{AND}(X_i \mid P_{X_i}) = \begin{cases} 0, & \exists X_j \in P_{X_i} \mid X_j = F \\ \prod_{j: X_j = T} p_{e_j}, & \text{otherwise} \end{cases} \qquad (4)$$
The above equation for $p_{OR}$ represents the binary Noisy-OR model [36], in which there can be multiple causal variables, namely $e_1, e_2, \ldots, e_n$, and an effect variable Y. Each $e_i$ is sufficient to produce the effect Y in the absence of other causes. Also, the ability of $e_i$ to result in Y is independent of the presence of other causes. In case of the attack graphs, if $p_{e_j}$ represents the probability of causing the effect by exploiting only the vulnerability $e_j$, with all the other causes $e_i$, such that $i \neq j$, being absent, we can write $p_{e_j}$ as follows [33]:

$$p_{e_j} = p(Y \mid \overline{X}_1, \overline{X}_2, \ldots, X_j, \ldots, \overline{X}_n) \qquad (5)$$

The leaky noisy-OR gate is a modification to this model, in which the effect can be true even when all its identified causes are false. This indicates a scenario in which all the causes for a particular effect cannot be completely listed, as is the usual case in attack graphs, wherein newer vulnerabilities can surface to expose a particular node in the system. It can be modeled by having an additional parameter $p_{e_0}$, which indicates the probability of having the effect Y with all the unlisted / unidentified causes [33].

$$p_{e_0} = p(Y \mid \overline{X}_1, \overline{X}_2, \ldots, \overline{X}_n) \qquad (6)$$
The following equation represents the leaky noisy-OR gate probability, factoring in pe0 [33]:
$$p_{LOR}(X_i \mid P_{X_i}) = 1 - (1 - p_{e_0}) \prod_{j: X_j = T} \frac{1 - p_{e_j}}{1 - p_{e_0}} \qquad (7)$$
4.2. Inference in Bayesian attack graphs

Given C1 as a single instantiated variable or a conjunction of instantiated variables, and C2 as a conjunction of instantiated variables, inference in Bayesian networks implies calculating p(C1 | C2) [37]. In simpler terms, the aim of the inference exercise is to determine the probability of C1 having some instantiation, when we know the values of the instantiations C2. As a restricted case of the probabilistic inference, many real world applications involve the important activity of determining p(C = True), for some propositional variable C [37]. In an attack graph, we will be interested in determining the unconditional probability distributions at nodes, namely $p(X_i = True)$, rather than $p(X_i \mid P_{X_i})$ [7]. This value depicts the probability of an attacker reaching a particular node of interest in the system or causing a particular security condition as a result of the attack. By employing Bayes' rule, $p(X_i)$ can be determined from the individual conditional probabilities of all the other variables except $X_i$, i.e. $(X - X_i)$ [7]:
$$p(X_i) = \sum_{X - X_i} p(X) = \sum_{X - X_i} \prod_{k=1}^{n} p(X_k \mid P_{X_k}) \qquad (8)$$
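The decompositions of Eqs. (3), (4) and (7) and the marginalization of Eq. (8), as an added Python example that is not from the paper or from its tooling. The five-node graph, its node names and every probability below are constructed for illustration; they are not the paper's Fig. 2 or its CPT values.

```python
from itertools import product

# Constructed toy BAG (assumption: NOT the paper's Fig. 2 or its CPT values).
PRIORS = {"attacker": 0.7, "admin": 0.1}          # root nodes: p(X = T)
NODES = {                                         # node: (decomposition, {parent: p_ej})
    "guest_vm":   ("OR",  {"attacker": 0.6}),
    "hypervisor": ("OR",  {"guest_vm": 0.3, "admin": 0.9}),
    "data_theft": ("AND", {"guest_vm": 0.5, "hypervisor": 0.8}),
}
ORDER = list(PRIORS) + list(NODES)                # parents always precede children


def p_or(states, p_exploit):
    """Eq. (3): 0 if every parent is F, else 1 - product over true parents of (1 - p_ej)."""
    miss = 1.0
    for parent, is_true in states.items():
        if is_true:
            miss *= 1.0 - p_exploit[parent]
    return 1.0 - miss


def p_and(states, p_exploit):
    """Eq. (4): 0 if any parent is F, else the product of all p_ej."""
    if not all(states.values()):
        return 0.0
    hit = 1.0
    for parent in states:
        hit *= p_exploit[parent]
    return hit


def p_leaky_or(states, p_exploit, p_leak):
    """Eq. (7): leaky noisy-OR; p_leak (p_e0) covers causes missing from the graph."""
    miss = 1.0 - p_leak
    for parent, is_true in states.items():
        if is_true:
            miss *= (1.0 - p_exploit[parent]) / (1.0 - p_leak)
    return 1.0 - miss


def p_true(node, assignment):
    """Local conditional p(X_i = T | parents) under one full assignment."""
    if node in PRIORS:
        return PRIORS[node]
    kind, p_exploit = NODES[node]
    states = {parent: assignment[parent] for parent in p_exploit}
    return p_or(states, p_exploit) if kind == "OR" else p_and(states, p_exploit)


def joint(assignment):
    """Eq. (1): the joint probability as a product of local conditionals."""
    prob = 1.0
    for node in ORDER:
        pt = p_true(node, assignment)
        prob *= pt if assignment[node] else 1.0 - pt
    return prob


def probability(query, evidence=None):
    """p(query | evidence), summing the joint over all other variables as in Eq. (8)."""
    evidence = evidence or {}
    numerator = denominator = 0.0
    for values in product([True, False], repeat=len(ORDER)):
        assignment = dict(zip(ORDER, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        weight = joint(assignment)
        denominator += weight
        if all(assignment[k] == v for k, v in query.items()):
            numerator += weight
    return numerator / denominator


if __name__ == "__main__":
    for node in ORDER:
        print(f"p({node} = T) = {probability({node: True}):.5f}")
    # Diagnostic query: how likely is a malicious admin once the hypervisor is compromised?
    print("p(admin = T | hypervisor = T) = "
          f"{probability({'admin': True}, {'hypervisor': True}):.5f}")
```

Enumeration visits all 2^n assignments, so it only suits graphs of this size; it serves here as a reference against which the junction tree or LBP results of a tool can be checked.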
The Maximum A Posteriori (MAP) and Most Probable Explanation (MPE) are two popular approaches [38] for finding explanations in Bayesian Attack Graphs given a set of observations. We formally define these two approaches below.

MAP: Let us assume that θ represents the parameter vector to be estimated from the sample set of observation vectors $x = (x_1, x_2, \ldots, x_n)$. Let f(.|θ) represent the probability distribution function (PDF) of x and let g represent the prior PDF of θ. Then we have the MAP estimate $\theta_{MAP}$ defined as follows [39]:

$$\theta_{MAP} = \arg\max_{\theta} g(\theta \mid x) = \arg\max_{\theta} f(x \mid \theta)\, g(\theta) \qquad (9)$$

MPE: Given the evidence e, the MPE refers to the complete instantiation of the variables in the Bayesian Network which yields the highest probability and is still consistent with the evidence [40]. If p(x) represents the probability of a complete variable instantiation x, then we have the MPE defined as follows [40]:

$$MPE(e) \overset{\mathrm{def}}{=} \arg\max_{x \sim e} p(x) = \arg\max_{x \sim e} \prod_{x P_x \sim x} \theta_{x \mid P_x} \qquad (10)$$
where ∼ represents the compatibility with the instantiations.

4.3. Inference algorithms for BAG

Performing exact inference by finding the unconditional probabilities $p(X_i)$ of all the graph nodes is known to be an NP-hard problem [37], which limits its use. However, reasonable estimations can be obtained on moderately smaller graphs similar to the one that we have presented in this article. Exact inference techniques employ efficient ways of performing this calculation. The procedure of taking advantage of the conditions inherent in the Bayesian network to avoid having to deal with exponentially large joint distributions is called the Variable Elimination technique. However, this technique has the limitation that it has to be repeated once per variable of interest [41]. To overcome this limitation, message passing techniques such as the Junction Tree algorithms can be employed. The Junction Tree (JT) (also called the Join Tree [41]) algorithms attempt to create an undirected tree structure from the
given Bayesian network, having the nodes as the cliques of a triangulated graph obtained from the network, satisfying pre-set conditions. The Shenoy-Shafer algorithm [42] carries out inference from a JT, by collecting the information from different parts of the tree. This is accomplished by sending messages only between the neighboring nodes of the tree. The message from a node vi to a neighboring node vj is computed as follows [41]:
$$\psi_{v_i \to v_j} = \psi_{v_i} \prod_{v_k \in N_b(v_i) \setminus v_j} \psi_{v_k \to v_i} \qquad (11)$$
where $\psi_{v_i}$ denotes the initial probability potential [42] on the node $v_i$, $\psi_{v_k \to v_i}$ denotes the messages from $v_k$ to $v_i$ and $N_b(v_i)$ denotes the neighboring nodes of the node $v_i$. The complexity of these algorithms is exponential in the number of nodes in the largest clique of the graph. This can limit their applicability to larger graphs.

An alternative is to perform an approximate inference using the Loopy Belief Propagation (LBP) algorithm [43], which has better scalability. While approximate inference in Bayesian networks is also known to be NP-Hard [44], approximate algorithms can provide better efficiency compared to the exact inference algorithms in the case of larger and denser graphs [8]. The LBP algorithm relies on using the factor graphs (as described in [45]) generated from the given Bayesian Network. These are bipartite graphs that contain nodes for the factors of the joint probability distribution of the BN, in addition to the variables of the BN. In a parallel LBP implementation, the messages are updated to all the nodes and the factors together, by using the message values from the previous iteration, with each iteration having two steps of message updates: one for the messages from nodes to the factors and the second step from factors to the nodes. The message from node $X_i$ to factor $\omega_j$ at iteration τ can be depicted as [8]:
$$\psi^{(\tau)}_{X_i, \omega_j}(X_i) = \prod_{\omega_k \in \{F_i - \omega_j\}} \psi^{(\tau - 1)}_{\omega_k, X_i}(X_i) \qquad (12)$$
where Fi represents the factors in the neighborhood of the node Xi . Message update from the factor ωi to a node Xj can be depicted as [8]:
$$\psi^{(\tau)}_{\omega_i, X_j}(X_j) = \sum_{X_k \in X_s} \omega_i(X_j, X_s) \prod_{X_k \in X_s} \psi^{(\tau)}_{X_k, \omega_i}(X_k) \qquad (13)$$
The marginal probabilities of the nodes are then computed with these updated messages, as shown below [8]:
$$p(X_i) = \prod_{\omega_j \in F_i} \psi_{\omega_j, X_i}(X_i) \qquad (14)$$
Computational Complexity of the algorithms: Exact inference in Bayesian networks has been shown to be NP-Hard [37] and is computationally very expensive. For a junction tree with n cliques, the worst case execution time is given as [46]:
$$n (\log n) \cdot r^{w} \qquad (15)$$
where w represents the clique width and r represents the maximum range or the number of states of the variable [46]. Approximate probabilistic inference has also been shown to be NP-Hard [47]. Consider the conditional probabilities in the interval [l, u], with 0 < l < u < 1. If λ is defined to be the ratio of the upper bound u to the lower bound l, i.e. λ = u/l, then Dagum and Luby [47] discuss the possibility of finding a threshold $\lambda_t$, such that for cases where $\lambda \le \lambda_t$, the approximate probabilistic inference becomes polynomial time (or randomized polynomial) and NP-Hard otherwise. It has been shown that for any constant c, the approximate probabilistic inference is polynomial when $\lambda \le 1 + c(\log n)/n$ [47].
5. Attack graph metrics

Security metrics represent the measurable attributes of the security aspect of a system or an infrastructure, characterizing the inherent vulnerabilities and the effectiveness of the measures taken to overcome them. Idika and Bhargava [11] and Noel and Jajodia [10] have listed several security metrics for use in analyzing the attack graphs (AG). These metrics aid in quantifying the security attributes and thus in carrying out an informed risk analysis of the infrastructure that the attack graph represents.

(a) Shortest path (SP): The SP metric [48] indicates the length of the smallest attack path that can lead to a security condition violation beginning from the attacker node in the graph. This metric depicts the least amount of effort required by the attacker to cause a security violation. Let j represent the total number of attack paths in the AG. If $pa_i$, 0 < i < j, represents an attack path in the AG and if $l(pa_i)$ represents the length of the path $pa_i$, then the metric SP can be denoted as follows:
SP = min0
(16)
(b) Normalized mean of path lengths (NMPL): The NMPL metric [11] is obtained by dividing the mean of the different attack path lengths in the AG ($\mu_{l(pa)}$) by the total number of the attack paths (η). This metric gives an insight into the vulnerability of the system by taking into consideration the various possible attack paths, normalized by the total number of such paths in the AG.
$$N\mu_{l(pa)} = \frac{\mu_{l(pa)}}{\eta} \qquad (17)$$
(c) The Standard deviation of path lengths (SDPL): The SDPL metric [11] provides an insight into the complexities associated with various paths in the AG. Paths having their lengths below this metric can prove to be the easy target paths for the attackers, and hence require a closer consideration from system security experts.
$$\sigma_{l(pa)} = \sqrt{\frac{\sum_{i} \left( l(pa_i) - \mu_{l(pa)} \right)^2}{\eta}} \tag{18}$$
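The three metrics above, computed in Python over a small constructed attack graph. This is an added example, not code from the paper: the graph is not the paper's Fig. 2, path length is assumed to be the number of edges (hops), and Eq. (18) is read as the population standard deviation.

```python
import math

# Constructed attack graph (NOT the paper's Fig. 2): node -> nodes reachable by one exploit.
ATTACK_GRAPH = {
    "Remote_Attacker": ["Host_OS_Compromised", "Mgmt_Server_Compromised"],
    "malicious_guest_user": ["Tenant_A_Compromised", "Hypervisor_Compromised"],
    "Malicious_Admin": ["Hypervisor_Compromised", "Image_Storage_Compromised"],
    "Host_OS_Compromised": ["Hypervisor_Compromised", "Host_Crash"],
    "Mgmt_Server_Compromised": ["Image_Storage_Compromised", "Infra_DoS"],
    "Image_Storage_Compromised": ["Data_Breach"],
    "Hypervisor_Compromised": ["Tenant_A_Compromised", "Data_Breach", "Infra_DoS"],
}

def attack_paths(graph):
    """Enumerate simple paths from attacker nodes (no incoming edge) to
    violation nodes (no outgoing edge)."""
    successors = {n for succ in graph.values() for n in succ}
    sources = sorted(set(graph) - successors)
    paths = []

    def walk(node, path):
        next_nodes = graph.get(node, [])
        if not next_nodes and len(path) > 1:
            paths.append(path)
        for nxt in next_nodes:
            if nxt not in path:  # a cyclic graph still yields simple paths only
                walk(nxt, path + [nxt])

    for src in sources:
        walk(src, [src])
    return paths

def path_metrics(graph):
    """SP, eta, mean, NMPL and SDPL as defined in Eqs. (16)-(18)."""
    lengths = [len(p) - 1 for p in attack_paths(graph)]  # assumed: length = hops
    if not lengths:
        raise ValueError("graph has no attacker-to-violation path")
    eta = len(lengths)
    mean = sum(lengths) / eta
    sdpl = math.sqrt(sum((l - mean) ** 2 for l in lengths) / eta)
    return {"SP": min(lengths), "eta": eta, "mean": mean,
            "NMPL": mean / eta, "SDPL": sdpl}

def shortest_attack_paths(graph):
    """Paths whose length equals SP: the least-effort routes to review first."""
    paths = attack_paths(graph)
    sp = min(len(p) - 1 for p in paths)
    return [p for p in paths if len(p) - 1 == sp]

if __name__ == "__main__":
    for name, value in path_metrics(ATTACK_GRAPH).items():
        print(f"{name}: {value:.5f}" if isinstance(value, float) else f"{name}: {value}")
    print(shortest_attack_paths(ATTACK_GRAPH))
```

Listing the paths that realise SP alongside the aggregate numbers shows which single-hop route produces the minimum.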
6. BAG for virtualized infrastructures

BAG can provide valuable insights while assessing the security risks in platform virtualized infrastructures. We build upon the concepts introduced in [12] to employ Bayesian inference techniques and perform sensitivity analysis for the identified security scenarios in virtualized infrastructures. Fig. 2 shows the resulting BAG, based on the identified threats and attack paths depicted in Fig. 1. The BAG encapsulates all the possible attack paths from the threat model, based on the reported vulnerabilities at different layers of the virtualization stack. The impacted components of the infrastructure are identified at each stage and the resulting broad security violations are captured as individual nodes of the BAG. The leaf nodes represent the classes of impact from the security violations. The node labels in the BAG also contain the abbreviations mentioned in parentheses, which are used to refer to them in the results section.

The BAG also includes nodes representing the management server and the image storage. The management server is often part of the cloud middleware, which is the central node for performing all the administrative tasks in the cloud infrastructure. Compromising this server can thus lead to an attack on the entire infrastructure. The image storage is a repository of all the various OS images and user snapshots that are used to run the virtual machines. If the image storage gets compromised, then malicious image files can be planted by the attacker that can boot and act as a Trojan horse in a stealthy manner.

Fig. 3 displays the Conditional Probability Table (CPT) values that are derived for the nodes of the BAG. The top nodes of the BAG are assigned very high probabilities, indicating the actors' willingness to attack the infrastructure. However, a low probability is assigned to the Malicious Admin. This is because of the assumption that administrators are often carefully screened by the data center companies, and thus the chances of an admin turning malicious are lower than the probability of remote attackers. To derive the CPT values for the intermediary nodes, the following process is carried out. A careful analysis of the attacks described in Section III.A has been carried out, and the vulnerabilities listed in the National Vulnerability Database [49] related to the identified threats have been listed. We have analyzed the vulnerabilities reported from January 2016 to March 2019. The exploitability sub-metric from the Common Vulnerability Scoring System (CVSS) [50] score is used to derive the CPT values as indicated in [7] and [9]. This sub-metric represents the difficulty level of the attack or threat under discussion. The CPT values have been derived by normalizing the exploitability scores and then arriving at a weighted average score based on the overall CVSS score (with the weights assigned in descending order for the vulnerabilities marked as Critical, High and Medium respectively).

7. Experimental results

The BAG has been modeled and analyzed using SamIam [51], which is a Java-based tool for performing sensitivity analysis, modeling and inference in Bayesian networks. The simulations have been executed on a workstation having the Intel Xeon CPU E3-1226 v3 (3.3 GHz) processor with 16 GB RAM, with Windows 10 as the operating system along with Java Runtime Environment (JRE) 1.8.0_172.
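To make the two steps above concrete (CPT values from CVSS exploitability scores, then posterior queries under evidence), the following added Python example runs exact inference by enumeration on a five-node constructed BAG. It is not the paper's model or SamIam's algorithm: the topology, priors, vulnerability records, severity weights (3/2/1), the 3.9 normalization constant (maximum CVSS v3.x exploitability sub-score) and the noisy-OR combination are all assumptions.

```python
from itertools import product

# Assumptions (not from the paper): severity weights in descending order, and
# 3.9 as the maximum CVSS v3.x exploitability sub-score used for normalization.
SEVERITY_WEIGHT = {"CRITICAL": 3.0, "HIGH": 2.0, "MEDIUM": 1.0}
MAX_EXPLOITABILITY = 3.9

def edge_probability(vulns):
    """Severity-weighted mean of normalized exploitability scores for one edge."""
    total = sum(SEVERITY_WEIGHT[sev] for _, sev in vulns)
    weighted = sum(SEVERITY_WEIGHT[sev] * score / MAX_EXPLOITABILITY
                   for score, sev in vulns)
    return weighted / total

# Constructed priors: external actors likely, Malicious_Admin unlikely.
PRIORS = {"Remote_Attacker": 0.7, "malicious_guest_user": 0.7, "Malicious_Admin": 0.1}

# Constructed edges, each with constructed (exploitability, severity) records.
EDGE_VULNS = {
    ("Remote_Attacker", "Hypervisor_Compromised"): [(2.8, "HIGH"), (1.8, "MEDIUM")],
    ("malicious_guest_user", "Hypervisor_Compromised"): [(2.0, "CRITICAL"), (1.8, "HIGH")],
    ("Malicious_Admin", "Hypervisor_Compromised"): [(2.5, "HIGH")],
    ("Hypervisor_Compromised", "Infra_DoS"): [(3.9, "HIGH"), (2.8, "MEDIUM")],
    ("Malicious_Admin", "Infra_DoS"): [(1.8, "MEDIUM")],
}
EDGE_P = {edge: edge_probability(v) for edge, v in EDGE_VULNS.items()}
ORDER = list(PRIORS) + ["Hypervisor_Compromised", "Infra_DoS"]  # topological order

def p_true(node, assign):
    """P(node = True | parents): prior for root nodes, noisy-OR otherwise (assumed)."""
    if node in PRIORS:
        return PRIORS[node]
    fail = 1.0
    for (src, dst), prob in EDGE_P.items():
        if dst == node and assign[src]:
            fail *= 1.0 - prob  # each compromised parent fails independently
    return 1.0 - fail

def joint(assign):
    """Joint probability of one full True/False assignment (chain rule)."""
    p = 1.0
    for node in ORDER:
        pt = p_true(node, assign)
        p *= pt if assign[node] else 1.0 - pt
    return p

def posterior(target, evidence):
    """Exact P(target = True | evidence) by enumerating all unobserved nodes."""
    hidden = [n for n in ORDER if n not in evidence]
    num = den = 0.0
    for values in product([True, False], repeat=len(hidden)):
        assign = {**evidence, **dict(zip(hidden, values))}
        p = joint(assign)
        den += p
        if assign[target]:
            num += p
    if den == 0.0:
        raise ValueError("evidence has zero probability under the model")
    return num / den

if __name__ == "__main__":
    for ev in ({}, {"Infra_DoS": True},
               {"Infra_DoS": True, "Remote_Attacker": True},
               {"Infra_DoS": True, "Remote_Attacker": False}):
        print(ev, round(posterior("Malicious_Admin", ev), 4))
```

With these constructed numbers, the posterior of Malicious_Admin under Infra_DoS evidence is lower when Remote_Attacker is also observed true and higher when it is observed false, which is the explaining-away effect that evidence-based queries on a BAG expose.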
With this model, we have carried out experiments to draw various MAP estimations and derive explanations for queries using the developed model and the assigned CPT values. Fig. 4 shows the plot of p(MAP,e) and p(MAP|e) for various MAP target variables for two scenarios: (a) with the evidence Infrastructre_DOS=true and (b) Infrastructre_DOS=true and Remote_Attacker=true. For scenario (b), it can be seen that the MAP value peaks for the Malicious_Admin variable, indicating that when given evidence of an Infrastructure DOS happening and in the absence of a remote attack, the probability of an admin turning malicious is significantly higher. We have also depicted additional series including Pr(MAP,e) and Pr(MAP|e) for the evidence I_DOS=True and RA=True. The variation shows the usage of approximate values for MAP. Approximate methods in calculation are known to be suitable for large models, as the complexity of exact algorithms can be exponential. The values being low for I_DOS=T for the CC, HYC and TC variables can be attributed to an insider admin turning malicious and carrying out attacks to compromise the chipset, hypervisor and thus all the tenants in the host [27,28]. The increase for the DB variable for RA=T evidence can be attributed to the data thefts that can result from exploiting hypervisor and guest OS vulnerabilities [22,23,24].

Table 1 shows the results of the evidence impact tool of SamIam. When the evidence is set as Tenant_A_Compromised=True, we get the results shown in the table. The results are listed in decreasing order of impact. As can be seen, the highest impact is on the malicious guest user node, with a value of 0.356. This can indicate that the likelihood of the guest user exploiting some of the hypervisor vulnerabilities or building covert side channels is high in this situation. This is also reflected by the fact that the impact list has an entry for the hypervisor getting compromised as well. In this manner, the analysts can set various evidence values, and perform an analysis on the other nodes in the graph to assess the impact of the evidence.

Fig. 2. BAG for the identified threats in cloud infrastructures.

Table 1. Impact of evidence Tenant_A_Compromised=true.

| Parameter | Impact |
|---|---|
| malicious_guest_user | 0.35663 |
| Malicious_Admin | 0.33032 |
| Remote_Attacker | 0.29157 |
| Hypervisor_Compromised | 0.11121 |
| Chipset_Compromised | 0.07587 |
| Memory_Compromised | 0.04014 |
| CPU_Compromised | 0.03967 |
| IO_Compromised | 0.01789 |
| Host_OS_Compromised | 0.01445 |
| Data_Breach | 0.01129 |
| Host_Crash | 0.00739 |
| Mgmt_Server_Compromised | 0.00544 |
| Image_Storage_Compromised | 0.00178 |
| Infra_DoS | 0.00055 |

The impact of the evidence varies slightly with different inference algorithms employed. Fig. 5 shows the variation in evidence impact between the Shenoy-Shafer and LBP inference algorithms. As explained earlier, depending on the structure and complexity of the graph to be analyzed, one can choose the corresponding inference algorithm for reasoning. The figure also depicts the error bars for values obtained from multiple runs, as well as the difference between the values for the two algorithms. This also indicates good concurrence of the inference results with different algorithms used for calculation.

The BAG has been used to draw the MPE for the different conditional probability assignments. The BAG provided here can be used to alter the evidence and check the instantiations for the different variables using the MPE scheme. This will allow the administrators to carry out a systematic analysis of the different components in the BAG and their impact. A quick MPE-level sensitivity analysis can also be performed on the BAG for assessing the change in impact of the variable values. Fig. 6 shows the conditional probabilities of the different variables required for flipping the MPE with the evidence given as DB=True. Error bars represent the variation in the values Pr(x|y), for calculating the MPE with the evidence set as DB=True. Here the MPE calculation is a special
case wherein all of the nodes with unobserved values are selected as MAP variables. The obtained values indicate little variation across multiple trial runs. As can be seen from the graph, the analysis shows that a drastic change is required for some of the CPT entries, and only a small change for others, to flip the MPE. This will give an insight to the system administrators on the effectiveness of the countermeasures to be introduced at different stages in the infrastructure. The MPE analysis can be used to highlight how little or how significant an impact a countermeasure could have, given the evidence of a security violation.

Fig. 3. CPT values for the BAG nodes derived from CVE metrics.

Fig. 4. Plot of p(MAP,e) and p(MAP|e) for various MAP variables with evidence I_DOS=T and RA=T.

Fig. 5. Evidence impact with Shenoy Shafer and LBP inference algorithms with evidence IO_Compromised=True.

Fig. 6. Conditional probabilities for MPE and the changes required to flip the MPE for the evidence DB=true.

Table 2. Metric values from the BAG for virtualized infrastructures.

| Metric | Value |
|---|---|
| SP (shortest path length) | 1 |
| η (no. of attack paths) | 45 |
| μ_l(pa) (mean path length) | 4.02 |
| Nμ_l(pa) (normalized mean path length) | 0.08933 |
| σ_l(pa) (standard deviation of path lengths) | 1.390266 |

Table 2 shows the metric values obtained for our BAG. The shortest path length of the attack paths is 1, indicating that a single hop in the AG can result in a security violation in the infrastructure. For example, a malicious guest user can exploit some of the side channel vulnerabilities to compromise the guest in the cloud infrastructure. The total number of attack paths in the BAG is as high as 45. This clearly indicates the susceptibility of virtualized infrastructures through multiple paths. This also highlights the need for attention from security architects and system admins for incorporating additional measures to secure them. The mean path length metric μ_l(pa) is 4.02, indicating an average traversal of 4 nodes in the attack paths to result in a security violation condition. The normalized mean path length Nμ_l(pa) is 0.08933, which can be used to compare other attack graphs for evaluating
the security metrics. The standard deviation of path lengths σ_l(pa) for the BAG is 1.390266, which indicates the existence of many paths with length as low as 3, which can result in a security violation.

8. Conclusion

We have presented an approach of using the BAG for platform virtualized infrastructures. Our analysis presents a model based on the explanation and inference techniques used to analyze Bayesian networks. We have shown the different explanation criteria for the BAG model presented and also carried out inference based on well-known Bayesian inference techniques. We have also evaluated the different security metrics for our BAG. The model presented here can be used as a base reference model by system administrators and architects of virtualized infrastructures for designing and evaluating the associated security risks. The model can also be used in the design of security frameworks by introducing countermeasures at various stages to result in different conditional probability assignments, and thus evaluate their effectiveness in impacting the risk associated with the overall infrastructure.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References

[1] Vahdat-Nejad H, Eilaki SO, Izadpanah S. Towards a better understanding of ubiquitous cloud computing. Int J Cloud Appl Comput (IJCAC) 2018;8(1):1–20. doi:10.4018/IJCAC.2018010101.
[2] Scarfone K, Souppaya M, Hoffman P. Guide to security for full virtualization technologies - Recommendations of the national institute of standards and technology. NIST Gaithersburg, MD, USA; 2011.
[3] Gupta BB. Computer and cyber security: principles, algorithm, applications, and perspectives. CRC Press; 2018.
[4] Liu Y, Man H. Network vulnerability assessment using bayesian networks. Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2005;5812(Mar):61–71.
[5] Xie P, Li JH, Ou X, Liu P, Levy R. Using bayesian networks for cyber security analysis. In: Dependable Systems and Networks (DSN), 2010 IEEE/IFIP international conference on; 2010. p. 211–20. doi:10.1109/DSN.2010.5544924.
[6] Frigault M, Wang L, Singhal A, Jajodia S. Measuring network security using dynamic bayesian network. In: 4th ACM workshop on Quality of protection; 2008. p. 23–30.
[7] Munoz-González L, Sgandurra D, Barrere M, Lupu EC. Exact inference techniques for the analysis of bayesian attack graphs. IEEE Trans Dependable Secure Comput 2017 1-1. doi:10.1109/TDSC.2016.2627033.
[8] Munoz-Gonzalez L, Sgandurra D, Paudice A, Lupu EC. Efficient attack graph analysis through approximate. ACM Trans Privacy Security (TOPS) 2017;20(3):10. doi:10.1145/3105760.
[9] Poolsappasit N, Dewri R, Ray I. Dynamic security risk management using bayesian attack graphs. IEEE Trans Dependable Secure Comput 2012;9(1):61–74. doi:10.1109/TDSC.2011.34.
[10] Noel S, Jajodia S. Metrics suite for network attack graph analytics. In: Proceedings of the 9th Annual Cyber and Information Security Research Conference; 2014. p. 5–8. doi:10.1145/2602087.2602117.
[11] Idika N, Bhargava B. Extending attack graph-based security metrics and aggregating their application. IEEE Trans Dependable Secure Comput 2012;9(1):75–85. doi:10.1109/TDSC.2010.61.
[12] Asvija B, Eswari R, Bijoy MB. Security in hardware assisted virtualization for cloud computing-state of the art issues and challenges. Comput Networks 2019;151(March):68–92. doi:10.1016/j.comnet.2019.01.013.
[13] Neapolitan RE. Learning bayesian networks (Vol. 38). Upper Saddle River, NJ: Pearson Prentice Hall; 2004.
[14] Heckerman D, Geiger D, Chickering DM. Learning bayesian networks: the combination of knowledge and statistical data. Mach Learn 1995;20(3):197–243.
[15] Cheng J, Greiner R, Kelly J, Bell D, Liu W. Learning bayesian networks from data: an information-theory based approach. Artif Intell 2002;137(1–2):43–90.
[16] Smith JE, Nair R. The architecture of virtual machines. IEEE Comput 2005;38(5):32–8. doi:10.1109/MC.2005.173.
[17] Intel. Intel® 64 and IA-32 architectures software developer's manual volume 3C: system programming guide, part 3. Intel Corporation; 2016.
[18] Pék G, Buttyán L, Bencsáth B. A survey of security issues in hardware virtualization. ACM Comput Surveys (CSUR) 2013;45(3):40.
[19] Rutkowska J. Red pill. or how to detect vmm using (almost) one cpu instruction. Internet Archive; 2004.
[20] Brengel M, Michael B, Christian R. Detecting hardware-assisted virtualization. In: DIMVA; 2016. p. 207–27.
[21] Sharkey J. Breaking hardware - Enforced Security with hypervisors. Blackhat USA; 2016.
[22] Geffner J. VENOM - Virtualized Environment neglected operations manipulation. CrowdStrike.com 2015. [Online]. Available http://venom.crowdstrike.com/ [Accessed August 2016].
[23] NIST National vulnerability database - CVEs for kvm. Inf Technol Lab 2018. 26 March [Online]. Available https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=KVM.
[24] NIST National vulnerability database - CVEs in xen. Inf Technol Lab 2018. 26 March [Online]. Available https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=xen.
[25] Pék G, Lanzi A, Srivastava A, Balzarotti D. On the feasibility of software attacks on commodity virtual machine monitors via direct device assignment. In: Proceedings of the 9th ACM symposium on Information, computer and communications security. ACM; 2014. p. 305–16.
[26] Richter A, Herber C, Rauchfuss H, Wild T. Performance isolation exposure in virtualized platforms with pci passthrough i/o sharing. In: International Conference on Architecture of Computing Systems. Springer International Publishing; 2014. p. 171–82.
[27] Gorobets M, Bazhaniuk O, Matrosov A, Furtak A, Bulygin Y. Attacking hypervisors via firmware and hardware. Black hat USA; 2015.
[28] Kallenberg C, Cornwell S, Kovah X, Butterworth J. Setup for failure: defeating secure boot. Hack In The Box - HITB; 2014.
[29] Inci M, Gulmezoglu B, Irazoqui G, Eisenbarth T, Sunar B. Cache attacks enable bulk key recovery on the cloud. In: ICCHE Conference, 2016. Springer Berlin Heidelberg; 2016. p. 368–88.
[30] Yarom Y, Falkner K. FLUSH+ RELOAD: a high resolution, low noise, L3 cache side-channel attack. USENIX Security 2014;2014(August):719–32.
[31] Zouhair C, Abghour N, Moussaid K, El Omri A. A review of intrusion detection systems in cloud computing. Security Privacy Smart Sensor Netw 2018:253–83. doi:10.4018/978-1-5225-5736-4.ch012.
[32] Almomani A, Alauthman M, Albalas F, Dorgham O, Obeidat A. An online intrusion detection system to cloud computing based on Neucube algorithms. Int J Cloud Appl Comput (IJCAC) 2018;8(2):96–112. doi:10.4018/IJCAC.2018040105.
[33] Oniśko A, Druzdzel MJ, Wasyluk H. Learning Bayesian network parameters from small data sets: application of noisy-or gates. Int J Approx Reason 2001;27(2):165–82. doi:10.1016/S0888-613X(01)00039-1.
[34] Friedman N, Geiger D, Goldszmidt M. Bayesian network classifiers. Mach Learn Nov 1997;29(2–3):131–63. doi:10.1023/A:1007465528199.
[35] Bouckaert RR. Bayesian belief networks: from construction to inference. Utrecht, The Netherlands: University Utrecht; 1995.
[36] Pearl J. Probabilistic reasoning in intelligent systems: networks of plausible inference. San Francisco, CA, USA: Morgan Kaufmann; 1988.
[37] Cooper GF. The computational complexity of probabilistic inference using bayesian belief networks. Artif Intell 1990;42(2–3):393–405. doi:10.1016/0004-3702(90)90060-D.
[38] Yuan C, Lu TC. Finding explanations in bayesian networks. In: 18th International Workshop on Principles of Diagnosis; 2007. p. 414–19.
[39] Gauvain JL, Lee CH. Maximum a posteriori estimation for multivariate gaussian mixture observations of markov chains. IEEE Trans Speech Audio Process 1994;2(2):291–8. doi:10.1109/89.279278.
[40] Chan H, Darwiche A. On the robustness of most probable explanations. In: 22nd Conference on Uncertainty in Artificial Intelligence; 2006. p. 63–71.
[41] Salmerón A, Rumí R, Langseth H, Nielsen TD. A review of inference algorithms for hybrid Bayesian networks. J Artif Intell Res 2018;62(2018):799–828. doi:10.1613/jair.1.11228.
[42] Shenoy PF, Shafer G. Axioms for probability and belief-function propagation. Uncertainty Artif Intell 4 1990;9:169–98.
[43] Pearl J. Probabilistic reasoning in intelligent systems - Networks of plausible inference. Morgan Kaufmann 1988.
[44] Koller D, Friedman N. Probabilistic graphical models - Principles and techniques. Cambridge, MA: MIT Press; 2009.
[45] Bishop CM. Pattern recognition and machine learning. Springer; 2006.
[46] Namasivayam VK, Prasanna VK. Scalable parallel implementation of exact inference in Bayesian networks. In: 12th International Conference on Parallel and Distributed Systems-(ICPADS'06); 2006. p. 8.
[47] Dagum P, Luby M. Approximating probabilistic inference in bayesian belief networks is NP-hard. Artif Intell 1993;60(1):141–53. doi:10.1016/0004-3702(93)90036-B.
[48] Swiler LP, Phillips C. A graph-based system for network-vulnerability analysis. Sandia National Labs No. SAND-98-1127C; CONF-980914 Albuquerque, NM (United States); 1998. doi:10.2172/573291.
[49] Computer Security Resource Center. National vulnerability database - NVD. National Institute of Standards and Technology; 2017. [Online]. Available https://nvd.nist.gov/ [Accessed 7 July].
[50] Mell P, Scarfone K, Romanosky S. A complete guide to the common vulnerability scoring system. cvss specification document. NIST and CMU; June 2007. [Online]. Available https://www.first.org/cvss/cvss-v2-guide.pdf.
[51] Automated Reasoning Group, UCLA. Samiam: sensitivity analysis, modeling, inference and more. [Online]. Available: http://reasoning.cs.ucla.edu/samiam/.